Surge in threat actors scanning Juniper, Cisco, and Palo Alto Networks devices

Published 2025-04-04 at https://cybersecurityinfocus.com/?p=2616

A surge in internet probes targeting devices from Juniper Networks, Cisco Systems, and Palo Alto Networks should put their admins on alert, say security experts.

A threat actor is probing the internet using default credentials for a Juniper Networks router, prompting a cybersecurity expert to warn network admins to change the login combo from the factory setting if they haven't already done so.

"It's sad [that a major networking company is still using a default username and password in 2025] for big, expensive products like this," Johannes Ullrich, dean of research at the SANS Institute, who noticed the surge in scans for the username "t128" and password "128tRoutes," said in an interview.

This, he said, is a well-known default account for Juniper's Session Smart Networking Platform (or "SSR" for "Session Smart Routing").

"Sophisticated admins should know better [than to allow the use of default passwords]," he added.

The probing took place over seven days late last month. This was a random internet scan, Ullrich said, but it would only work for this particular Juniper device if the default credentials hadn't been changed.

In late 2020, Juniper announced it had struck a deal to buy the software-defined router's creator, 128 Technology, for US$450 million. Much of the product, including the default usernames and passwords, remained unchanged after the acquisition, Ullrich said in a blog (https://isc.sans.edu/diary/Surge+in+Scans+for+Juniper+t128+Default+User/31824).

"It looks like just a random botnet," he said of the login attempts. "I have not captured the actual payload that would execute on successfully logging in, but I suspect it's some sort of cryptominer or Mirai [botnet] derivative. It doesn't look like anything especially sophisticated."

Juniper was asked for comment, but no response had been received by press time.

Exploit attempts on Cisco devices

At least Juniper has documented the fact that there is a default password, and admins of the SSR device have been told by Juniper to change the default credentials, Ullrich said. In contrast, Cisco Systems customers may have been caught off guard when they learned last September that a vulnerability in its Smart Licensing Utility software exposed a fixed password and a log file.

They learned about it when Cisco disclosed two critical vulnerabilities and issued a patch. However, last month Ullrich discovered someone is trying to exploit the holes in unpatched installations. And earlier this week, Cisco issued an update to its September advisory confirming reports of attempted exploitation (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw#:~:text=in%20this%20advisory.-,Exploitation%20and%20Public%20Announcements,-In%20March%202025). Cisco continues to strongly recommend that customers upgrade to a patched software release to remediate this vulnerability.

Cybersecurity experts and governments have urged manufacturers for years to stop selling products with default passwords. As far back as 2016, the U.S. Cybersecurity and Infrastructure Security Agency issued an alert on the risks (https://www.cisa.gov/news-events/alerts/2013/06/24/risks-default-passwords-internet).

And it's not that hard for manufacturers and application developers to avoid default passwords, Ullrich added. Some manufacturers of internet-connected consumer devices now place stickers on the back with a custom password. Another option is to ship products with no default password at all, so the user has to create their own credentials when first logging in.

Scanning for Palo Alto Networks portals

Meanwhile, researchers at GreyNoise this week reported seeing a recent significant surge in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. GlobalProtect is an endpoint application that allows employees to access a company's resources remotely.

Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals, the researchers said (https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity).

"The pattern suggests a co-ordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," they said, suggesting a threat actor has discovered a new vulnerability.

The report doesn't say if the scanning was accompanied by login attempts.

Most of the traffic came from the United States (16,249 IP addresses) and Canada (5,823), followed by Finland, the Netherlands, and Russia. However, threat actors are known to disguise their bases by leveraging compromised servers in other countries.

The overwhelming majority of traffic targeted systems in the United States (23,768), with smaller volumes directed toward the United Kingdom, Ireland, Russia, and Singapore. The spike began on March 17, the report says, with activity peaking at nearly 20,000 unique IPs per day and remaining steady until March 26 before tapering off. Most of the activity is suspicious, with a smaller subset flagged as malicious.

"The consistency of this activity suggests a planned approach to testing network defenses," says the report, "potentially paving the way for exploitation. Organizations using Palo Alto Networks products should take steps to secure their login portals."